Qinglong Task Scheduler RCE Vulnerabilities Exploited in the Wild
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
In early 2026, two critical authentication bypass vulnerabilities<\/a> in the popular open-source Qinglong task scheduler were actively exploited by hackers.<\/p>\n According to Snyk security reports, unauthenticated attackers breached publicly accessible panels, achieving remote code execution to install a hidden, resource-draining cryptominer named\u00a0.fullgc.<\/p>\n Qinglong is a self-hosted task scheduling dashboard that supports multiple scripting languages, including Python 3 and JavaScript.<\/p>\n Snyk notes that the project has gained massive popularity, particularly among the Chinese developer community, accumulating over 19,000 stars on GitHub.<\/p>\n Users frequently deploy the platform on cloud virtual private servers and home networks using Docker containers<\/a>.<\/p>\n Around February 7, 2026, administrators began noticing abnormal activity. BleepingComputer highlights that sudden CPU spikes pushed server capacity to 100%.<\/p>\n Attackers exploited the unpatched flaws to modify Qinglong\u2019s configuration script, quietly downloading the. fullgc\u00a0cryptominer disguised as a Java garbage<\/a> collection process.<\/p>\n This deceptive naming convention was designed to delay administrative investigations while the malware consumed system resources.<\/p>\n The attacks were made possible by two severe flaws in Qinglong versions 2.20.1 and earlier.<\/p>\n Snyk researchers explain that both vulnerabilities stem from a mismatch between the security middleware<\/a> assumptions and the Express.js framework\u2019s routing behavior.<\/p>\n CVE-2026-3965, detailed in GitHub Issue #2933, arises from a URL rewrite rule that incorrectly maps This flaw allows an attacker to reinitialize and reset administrative credentials with a single unauthenticated request.<\/p>\n CVE-2026-4047, detailed in GitHub Issue #2934, exploits case-insensitive URL handling<\/a> by altering request casing (e.g., Snyk\u2019s vulnerability database shows<\/a> that this grants direct remote code execution without requiring a credential reset.<\/p>\n The exploitation remained largely unnoticed by the English-speaking security community while wreaking havoc on developer forums.<\/p>\n Initially, GitHub pull requests<\/a> showed the community attempting to mitigate the threat by filtering malicious inputs, but this proved inadequate against the underlying access control flaw.<\/p>\n The maintainers ultimately resolved the vulnerability by directly fixing the middleware\u2019s authentication logic.<\/p>\n To secure their systems, operators should immediately update their Docker containers, audit for hidden\u00a0.fullgc\u00a0files, and place self-hosted panels behind secure VPNs<\/a>.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Qinglong Task Scheduler RCE Vulnerabilities Exploited in the Wild<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nCryptomining Campaign<\/strong><\/h2>\n
\/open\/*<\/code> requests to protected \/api\/*<\/code> endpoints.<\/p>\n\/aPi\/<\/code>) to bypass protections on \/api\/<\/code> endpoints.<\/p>\nIncident Timeline<\/strong><\/h2>\n
\n